ABSTRACT

A firewall for isolating network elements from a publicly accessible network to which such network elements are attached. The firewall operates on a stand alone computer connected between the public network and the network elements to be protected such that all access to the protected network elements must go through the firewall. The firewall application running on the stand alone computer is preferably the only application running on that machine. The application includes a variety of proxy agents that are specifically assigned to an incoming request in accordance with the service protocol (i.e., port number) indicated in the incoming access request. An assigned proxy agent verifies the authority of an incoming request to access a network element indicated in the request. Once verified, the proxy agent completes the connection to the protected network element on behalf of the source of the incoming request.
FIREWALL SYSTEM FOR PROTECTING NETWORK ELEMENTS CONNECTED TO A PUBLIC NETWORK

This is a continuation of application Ser. No. 08/595,957, filed Feb. 6, 1996, U.S. Pat. No. 5,826,014.

BACKGROUND 

The present invention relates to a system for protecting network elements connected to a public network from access over the public network, and more specifically, to a firewall system for protecting network elements connected to the Internet.

The Internet has experienced, and will continue to experience, explosive growth. As originally designed, the Internet was to provide a means for communicating information between public institutions, particularly universities, in a semi-secure manner to facilitate the transfer of research information. However, with the development and provision of user friendly tools for accessing the Internet, such as the World Wide Web (the Web), the public at large is increasingly turning to the Internet as a source of information and as a means for communicating.

The Internet's success is based, in part, on its support of a wide variety of protocols that allows different computers and computing systems to communicate with each other. All of the Internet-compatible protocols, however, find some basis in the two original Internet protocols: TCP (Transmission Control Protocol) and IP (Internet Protocol). Internet protocols operate by breaking up a data stream into data packets. Each data packet includes a data portion and address information. The IP is responsible for transmitting the data packets from the sender to the receiver over a most efficient route. The TCP is responsible for flow management and for ensuring that packet information is correct. None of the protocols currently supported on the Internet, however, provides a great degree of security. This factor has hindered the growth of commercial services on the Internet.

The government, in learning of the Internet's limited transmission security capacity, has resorted to encoding secure messages using complex encryption schemes. The government abandoned consideration of the Internet for high security information, relying instead on privately operated government networks. The general public, without such concerns, has come to increasingly use the Internet. Furthermore, businesses having recognized the increasing public use of, and access to the Internet, have turned to it as a marketing mechanism through which to disseminate information about their products, services and policies.

A popular way for commercial institutions to supply information over the Internet is to establish a homepage on an Internet multi-media service known as the World Wide Web. The World Wide Web ("Web") provides a user-accessible platform that supplies information in text, audio, graphic, and video formats. Each homepage document can contain embedded references to various media. A Web user can interactively browse information by responding to entry prompts nested in a screen within a homepage. Web documents are accessed by using a TCP/IP compatible protocol called HyperText Transfer Protocol (HTTP). A user logged onto the Internet can access a "Web site" by supplying the Web site's address (e.g., "http://snnc.com"). Entry of such an address establishes a session between the user and the Web site.

Provision of a Web homepage involves establishing a user 
accessible file at a Web site. The Web site can be established 
on a computing system on the premises of the business or institution providing the homepage, or by contracting to have the homepage built and supported on the computing facilities of an Internet Service Provider (ISP). The assignee of the present application, Scientific Research Management Corporation (SRMC), is an Internet Service Provider.

Use of a company's computing system for support of a 
publicly accessible system, such as a Web site, can present 
a threat to the company's internal systems that share the 
same computing platform, or are connected to the publicly 
accessible computing platform. Furthermore, in cases where 
sensitive information is transmitted over the Internet to a 
company, such information is usually stored on the same 
computing system that is used for running the on-line 
Internet system. For instance, some businesses now publish 
homepage catalogs offering services and products for sale. A 
user can select products or services from a homepage 
catalog in an interactive session. After selecting the desired 
products or services, the homepage may present a payment screen inviting the user to enter credit card information. Handling of such information over a public network such as the
Internet, requires some measure of security to prevent the 
information from being intercepted. However, a more 
important consideration is maintaining the security of such 
information once it is received and stored in a computing 
system that is connected to the Internet. 

Most computer crime is not in the form of data 
interception, but involves a network intruder, or "hacker" 
entering a publicly-accessible computing system and sub- 
verting security systems to access stored information. In the 
recent past there have been several publicized cases where 
hackers have stolen proprietary information from purport- 
edly secure computers over the Internet. 

In many cases where a publicly accessible application, 
such as a homepage, is set up on a business or institution's 
premises, it is grafted onto an existing computing system. 
The existing system also may contain other computing 
resources such as data bases, and/or internal network sys- 
tems that are not intended for public access. Provision of a 
publicly accessible on-line system, such as a Web server, on 
such a system can provide a scenario that can be exploited 
by network intruders who may attempt to reach systems
beyond the Web server using it, or other systems bundled on 
the computing platform, as access paths. A company or 
institution may attempt to protect these surrounding systems 
by password protecting them, or by concealing them from 
the public with a system called a firewall. 

Password protected systems are well known. However, a 
password prompt announces the presence of proprietary 
systems and may be an invitation for a hacker to investigate 
further. Because password systems are widely known, they 
are somewhat susceptible to hackers who have developed 
techniques for cracking, bypassing or subverting them. 
Using conventional desktop computers, hackers have been 
known to decipher passwords of reasonable lengths in a very 
short period of time. Provision of longer passwords may 
thwart a hacker's attempts, but at the expense of user 
convenience. 

The term "firewall" was coined in the computer network 
environment to describe a system for isolating an internal 
network, and/or computers, from access through a public 
network to which the internal network or computers are 
attached. The purpose of a firewall is to allow network 
elements to be attached to, and thereby access, a public 
network without rendering the network elements susceptible 
to access from the public network. A successful firewall 
allows for the network elements to communicate and transact with the public network elements without rendering the
network elements susceptible to attack or unauthorized 
inquiry over the public network. As used herein, the term 
"network element" can refer to network routers, computers, 
servers, databases, hosts, modems, or like devices that are 
typically associated with a computer network. 

One technique used by firewalls to protect network elements is known as "packet filtering." A packet filter investigates address information contained in a data packet to determine whether the machine from which the packet originated is on a list of disallowed addresses. If the address is on the list, the packet is not allowed to pass.

One problem with packet filtering is that when unknown 
address information is encountered in the filtering check 
(i.e., the packet's address is not on the list), the packet is 
usually allowed to pass. This practice of allowing unknown 
packets to pass is based on an Internet design philosophy 
that promotes the ease of information transfer. Hence, most 
firewall systems utilizing packet filtering operate on an 
"allow to pass unless specifically restricted" basis. This 
practice is invoked with the perception that the packet will 
eventually be recognized and appropriately routed downstream of the packet filter. However, this practice provides hackers with a means with which to bypass a packet filter.

Hackers have developed a technique known as "source based routing," "packet spoofing," or "IP spoofing" wherein address information within a fabricated packet is manipulated to bypass a packet filter. All network elements that are
addressable over the Internet have an address consisting of 
four octets separated by periods. Each of the octets is an 
eight bit sequence representing a decimal number between 
zero and 255. A host computer on the Internet might have an 
IP address: 19.137.96.1. Source based routing involves a 
hacker inserting an address of a machine that resides 
"behind" a firewall into the source address field of a ficti- 
tious packet. Such a packet can usually pass through a 
firewall because most firewalls are transparent to messages 
that originate from behind the firewall, because the firewall 
assumes that such messages are inherently valid. To prevent 
this type of packet spoofing, the packet filter's list of 
disallowed addresses includes the addresses of elements 
residing behind the firewall. 

Another packet spoofing technique involves setting the "session active" bit of a packet. By setting this bit in a packet, a packet filter receiving the packet assumes that a valid session has already been established, and that further packet filtering checks are not necessary, thereby allowing the packet to pass. A spoofed packet having its session active bit set can contain an "establish connection" message. Such a packet can be used to establish a session with a machine behind the firewall.

Additional packet filtering techniques involve investigations of data portions of packets to determine whether there are any suspect contents, and/or investigations of suspect protocol designations. However, the drawback of these and the aforementioned packet filtering schemes is that, when used in combination, they are cumbersome. This practice impairs the speed with which packet filters do their job.

Conventional firewalls also may use an application 
gateway, or proxy system. These systems operate on the 
basis of an application, or a computing platform's operating 
system (OS), monitoring "ports" receiving incoming con- 
nection requests. A port is a numerically designated element 
contained in the overhead of a packet. A port number 
indicates the nature of a service associated with a packet. For 
example, a packet associated with the Telnet service has a port number of 23, and the HTTP service is assigned port number 80. These port number designations are merely industry suggested; a packet containing a port designation of 23 need not necessarily be associated with Telnet services. When the OS or monitoring application receives a request on a particular port, a connection is opened on that port. A program for managing the connection is then initiated, and the firewall starts a gateway application, or proxy, that validates the connection request. However, such a system is vulnerable and inefficient because of the resource intensive nature of the processes involved.

Hackers have been known to inundate a port with large numbers of slightly varying access requests in an attempt to slip a packet by an application gateway or proxy. This method of attack is known as a "denial of service attack." The typical response to such an attack is to have the OS shut down the targeted port for a period of time. This defense response is necessitated by the inefficiency of conventional port processing. The chain of processes associated with monitoring, managing, and verifying port connections is very inefficient. A denial of service attack can unduly burden system resources. Consequently, the conventional defense is to have the OS shut down the port for a period of time. This security technique prevents entry into a system through that port and restores the availability of system resources. However, it also prevents a user behind the firewall from accessing the port that has been shut down. Hence, this security measure is unacceptable.

Another problematic aspect of conventional firewall arrangements, from a security perspective, is the universal practice of combining a firewall with other packages on a same computing system. This arises in two situations. The first is where the firewall package, in and of itself, is a combination of applications. For example, Trusted Information Systems's recently released Gauntlet application is a combination Web server and firewall. The second situation is the aforementioned practice of hosting publicly accessible and/or unrelated services on a same computing platform that supports the firewall. The services sharing the platform with the firewall may include E-mail, Web servers, or even the system that the firewall is set up to protect (e.g., a database). This situation was discussed briefly above with respect to many companies' practice of grafting a firewall application onto their existing computer systems.

The provision of applications on top of, or in addition to, the firewall on a computing system provides a path through which a hacker can get behind the firewall. This is done by using the unrelated applications to attack the firewall, or to directly connect with network elements being protected by the firewall. The firewall may fail to recognize the attack because the application being exploited by the hacker is authorized to communicate through the firewall. In addition, the firewall might not be able to protect against unexpected flank attacks from shared applications because it is set up specifically to monitor requests from a designated publicly accessible application. Alternatively, the shared application may be used to completely bypass the firewall and attack, or directly connect to, a protected network element.

An example of a conventional firewall arrangement is depicted in FIG. 1. A host computer 100 communicates with an institutional computer system 106 over a public network 102 through a router 104. A router is a network element that directs a packet in accordance with address information contained in the packet. The institutional computer system 106 supports a variety of applications including a Web server 108, and an E-mail system 114. A firewall system 110 also is hosted on the institutional computer 106 to protect a port 112 that connects an internal network 116 to the institutional computer system 106. The internal network 116 may support communication between internal terminal(s) 118 and a database 120, possibly containing sensitive information. Such a firewall system 110, however, is subject to attack in many ways.

A hacker operating the host computer 100 can utilize publicly accessible applications on the institutional computer system 106, such as the Web server 108 or the E-mail system 114, to flank attack the firewall system 110 or connect to the internal network port 112. The Web server 108 or the E-mail system 114 may have authority to attach to and communicate through the firewall system 110. The hacker might be able to exploit this by routing packets through, or mimicking these network elements, in order to attach to, attack, or completely bypass the firewall system 110.

Most conventional firewalls are transparent to packets originating from behind the firewall. Hence, the hacker may insert a source address of a valid network element residing behind the firewall 110, such as the terminal 118, into a fictitious packet. Such a packet is usually able to pass through the firewall system 110. Alternatively, the hacker can set the session_active bit in the fictitious packet to pass through the firewall 110. The packet can be configured to contain a message requesting the establishment of a session with the terminal 118. The terminal 118 typically performs no checking, and assumes that such a session request is legitimate. The terminal 118 acknowledges the request and sends a confirmation message back through the firewall system 110. The ensuing session may appear to be valid to the firewall system 110.

The hacker can also attempt to attach to the port 112. A conventional application gateway system forms a connection to the port before the firewall 110 is invoked to verify the authority of the request. If enough connection requests hit the port 112, it may be locked out for a period of time, denying service to incoming requests from the public network, and more importantly, denying access to the internal network 116 for outgoing messages. It is readily apparent that conventional firewall systems, such as the one depicted in FIG. 1, are unacceptably vulnerable in many ways.

It is readily apparent that the design and implementation of conventional firewalls has rendered them highly vulnerable to hacker attack. What is needed is a true firewall system that overcomes the foregoing disadvantages and is resistant to hacker attack.

SUMMARY

The present invention overcomes the foregoing disadvantages by providing a firewall system that is resistant to conventional modes of attack. A firewall in accordance with the present invention is a stand-alone system that physically resides between a point of public access and a network element to be protected. A firewall arrangement in accordance with the invention operates on a computing platform that is dedicated to the operation of the firewall. Such a dedicated firewall computing platform is referred to herein as a "firewall box." The firewall box is connected to a protected network element by a single connection. Consequently, any communication from a publicly accessible network element to a protected network element must pass through the firewall box. A network element, or elements, to be protected by the firewall are connected to the backside of the firewall.

In a preferred embodiment the firewall box is a stand alone computing platform dedicated to supporting a firewall application. No other applications, services or processes, other than those related to support of the firewall application (e.g., an operating system), are to be maintained on the dedicated firewall box.

The firewall application running on the firewall box is comprised of a plurality of proxy agents. In a preferred embodiment, individual proxy agents are assigned to designated ports to monitor, respond to and verify incoming access requests (i.e., incoming packets) received on the port. Port management by the OS or port management programs is limited to simply assigning an appropriate proxy agent to an incoming access request on a port. The assigned proxy agent immediately verifies the access request before a connection is formed. Using simple verification checks, the proxy agent determines the authority of the access request, quickly and efficiently discarding unauthorized requests without unduly burdening system resources. If the access request is authorized, the assigned proxy agent opens, and thereafter manages, the port connection. In this way, the proxy agent is further able to resist denial of service attacks without resorting to shutting down the port.

In a preferred embodiment, a proxy agent is assigned to a request based on the service associated with an access request (e.g., the Telnet port number is indicated). Each proxy agent is thus protocol sensitive to the particular service requirements of an incoming request and can respond with appropriately formatted messages. However, if the protocol of an access request is not configured in accordance with the protocol normally associated with that port, the request is discarded. If proper, the proxy agent can then initiate a set of verification checks to ensure the authority and authenticity of the access request.

Verification tests performed by a proxy agent can involve any variety of checks, including, but not limited to: determinations of valid destination addresses; determination of valid user, or user/password information; validity of an access in view of the time period of the access; presence of executable commands within an access request; or any combination of the latter, or like determinations. Such tests are not performed in conventional firewall systems.

Upon confirming the validity of an incoming access request, a proxy agent initiates the connection to a network element indicated in the access request, or in response to a prompt issued to a user, on behalf of the incoming access request. This has the effect of shielding the identity of network elements on each side of the firewall from a hacker who taps a connection on either side of the firewall. The firewall also can be used in combination with a packet filtering scheme to protect against IP spoofing and source routing.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing, and other objects, features and advantages of the present invention will be more readily understood upon reading the following description in conjunction with the drawings, in which:

FIG. 1 depicts a computer network arrangement having a conventional firewall arrangement;

FIG. 2 depicts an exemplary computer network arrangement including a firewall arrangement incorporating the present invention;

FIG. 3 depicts another exemplary computer network arrangement including a firewall arrangement incorporating the present invention; and
FIGS. 4A and 4B depict a flow diagram depicting an exemplary process incorporating the present invention.

DETAILED DESCRIPTION 

FIG. 2 depicts a block diagram of an exemplary system incorporating the invention. Network elements in the form of a terminal 216 and a secure database 218 are connected to an internal network 214 that is protected behind a firewall 210. The connection 212 between the internal network 214 and the firewall 210 is preferably the only connection between these two elements. A publicly accessible computing system is connected to a public network 202 through a router 204. A connection 208 between the firewall 210 and the publicly accessible computing system 206 is preferably the sole connection between the firewall 210 and the publicly accessible system 206. By providing the firewall 210 in this stand alone configuration, any and all access from the public network 202 to the internal network 214 must go through the firewall 210. Hence, a user operating a host machine 200 who attempts to access the internal network 214 via the public network 202 must go through the firewall 210. This arrangement is more robust than conventional firewall systems that are susceptible to being bypassed either physically or through applications sharing the firewall computing platform.

In preferred embodiments of the invention, the firewall 210 runs on a dedicated firewall box. That is, the computer upon which the firewall 210 is running, is dedicated to the firewall application. The processes, programs and applications running on the firewall computing platform are those involved with firewall processes, or their support (i.e., the computer's operating system). Consequently, there is reduced risk of the firewall being bypassed through applications sharing the firewall's computing platform. The addition of other, unrelated, applications to the firewall box merely compromises the integrity of the firewall.

The firewall 210 application is comprised of a variety of access request validation programs referred to herein as "proxy agents." Proxy agents investigate incoming requests that seek to access network elements residing behind the firewall 210. The nature of incoming access requests can vary according to a particular port, or service (e.g., HTTP, Telnet, File Transfer Protocol (FTP)) that the incoming request seeks to attach to. Accordingly, the firewall 210 application assesses the characteristics of an incoming request and assigns an appropriate proxy agent tailored to the particular protocol and verification requirements of that incoming access request. In a preferred embodiment, there is a designated proxy agent for each port. The proxy agent assigned to a port performs all of the verification processes and management of the port without involving the operating system, or a port manager (as in conventional systems). Because it is dedicated to a particular port, a proxy agent is capable of providing a more efficient handling of an incoming request from both a protocol and a verification standpoint. The proxy agent makes an immediate verification check of an access request before initiating a port connection. If the access is deemed suspect, it is immediately discarded. The use of proxy agents is more efficient than conventional chained processes involving OS based verification routines and port management programs that are generic to incoming access requests. By immediately checking for and discarding suspect packets, the proxy agent is capable of resisting denial of service attacks without having to shut down the port.

In accordance with another aspect of exemplary embodiments of the invention, a proxy agent can include a tailored set of verification tests. The rigorousness of the tests can be dictated by the characteristics of the access request. For instance, the source address of an access request can be investigated to determine whether the request is suspect or credible. An inherently reliable request may require only a minimum of verification before being connected, while a suspect request may require enhanced verification. Access request verification can include analysis of: source host machine and source user information; destination host machine and destination user information; and time of day analysis. These or other tests can be interactive in nature and prompt a source user to enter user/password information. In some cases a user may be required to enter a valid destination machine address or ID. In accordance with exemplary embodiments of the invention any combination of the foregoing, or other, tests can be performed by a given proxy agent depending on the verification requirements of a particular incoming access request.
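As an added illustration (not code from the patent), the following Python sketch shows a per-port proxy agent applying the tiered verification just described: the protocol must match the port, the source is assessed so that an inherently reliable source goes straight to the destination check while an unknown source also faces user/password, time-period and payload checks, and a connection is formed on the client's behalf only after all checks pass. Every address, credential, hour and command marker in it is a constructed assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional
import ipaddress

# Constructed policy: assumptions made for this example, not values from the patent.
PORT_PROTOCOLS = {21: "ftp", 23: "telnet", 80: "http"}
PROTECTED_NETWORK = ipaddress.ip_network("192.0.2.0/24")    # elements behind the firewall
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]  # e.g. a firewalled HQ network
ALLOWED_DESTINATIONS = {21: {"192.0.2.10"}, 23: {"192.0.2.10"}, 80: {"192.0.2.20"}}
ACCESS_HOURS = range(7, 17)                                 # 07:00 to 16:59
VALID_USERS = {"alice": "constructed-secret"}
COMMAND_MARKERS = ("$(", "`", "&&", "| sh", "; rm")         # crude signs of embedded commands


@dataclass
class AccessRequest:
    port: int               # port the request arrived on
    protocol: str           # protocol the request actually speaks
    src: str
    dst: str
    when: datetime
    user: Optional[str] = None
    password: Optional[str] = None
    payload: str = ""


@dataclass
class Verdict:
    allowed: bool
    reason: str
    checks_run: List[str] = field(default_factory=list)
    connected_to: Optional[str] = None


def make_request(port, protocol, src, dst, hour, user=None, password=None, payload=""):
    """Build a constructed request timestamped at the given hour (convenience helper)."""
    return AccessRequest(port, protocol, src, dst, datetime(2024, 1, 15, hour, 0),
                         user, password, payload)


def is_trusted_source(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_SOURCES)


def is_spoofed_source(src: str) -> bool:
    # A request arriving from the public side whose source claims an address
    # behind the firewall is fabricated (the IP-spoofing case in the background).
    return ipaddress.ip_address(src) in PROTECTED_NETWORK


def proxy_agent(req: AccessRequest) -> Verdict:
    """Verify an access request; connect on the client's behalf only if it passes."""
    v = Verdict(allowed=False, reason="")
    # Check 1: the protocol must match the port's designated service, else discard.
    v.checks_run.append("protocol")
    if PORT_PROTOCOLS.get(req.port) != req.protocol:
        v.reason = f"protocol {req.protocol!r} does not match port {req.port}"
        return v
    # Check 2: source assessment. Spoofed sources are dropped; inherently secure
    # sources go straight to the destination check; unknown sources get the
    # more rigorous series (credentials, time period, payload contents).
    v.checks_run.append("source")
    if is_spoofed_source(req.src):
        v.reason = "source address claims a protected network element"
        return v
    if not is_trusted_source(req.src):
        v.checks_run.append("credentials")
        if req.user is None or VALID_USERS.get(req.user) != req.password:
            v.reason = "invalid user or password"
            return v
        v.checks_run.append("time")
        if req.when.hour not in ACCESS_HOURS:
            v.reason = f"access at {req.when:%H:%M} is outside the permitted period"
            return v
        v.checks_run.append("payload")
        if any(m in req.payload for m in COMMAND_MARKERS):
            v.reason = "request payload contains executable command markers"
            return v
    # Check 3: the destination must be one this port's agent may reach.
    v.checks_run.append("destination")
    if req.dst not in ALLOWED_DESTINATIONS.get(req.port, set()):
        v.reason = f"destination {req.dst} is not authorized on port {req.port}"
        return v
    # Only now is a connection formed, by the agent on the client's behalf, so
    # the protected element never sees the public source address.
    v.allowed, v.reason, v.connected_to = True, "verified", req.dst
    return v


if __name__ == "__main__":
    print(proxy_agent(make_request(23, "telnet", "198.51.100.7", "192.0.2.10", 10,
                                   "alice", "constructed-secret")))
```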

A more detailed depiction of an exemplary system in 
accordance with the present invention is shown in FIG. 3. 
The figure illustrates a network scenario involving commu- 
nication over a public network 306, such as the Internet. An 
institutional service provider 310 is attached to the public
network 306 through a router 308. The institutional service 
provider 310 has a publicly accessible network 312. A user 
300 operating a host computer 302 can access the publicly 
accessible network 312 through the public network 306 (via 
routers 304 and 308, respectively). 

The institutional service provider 310 may be an ISP that 
develops software on internal computers 324 and 326 for 
distribution and sale. Free software can be supplied to users 
who access a public Web server 314 on the internal, publicly 
accessible, network. The institutional user 310 also may 
provide information about its products or services by estab- 
lishing a home page on the publicly accessible Web server 
314. The publicly accessible network 312 also may have a 
public E-mail system 316. Authorized subscribers may be 
permitted to access proprietary software offered on a pro- 
tected Web server 322 by accessing the institution's internal 
network 328. The internal network 328 also can have a 
secure E-mail system 320 for internal communication. The 
internal network 328 is protected from public access by a 
firewall 318 incorporating the present invention. 

The firewall 318 permits the internal network 328 to be 
attached to the public network 306 (through the publicly 
accessible network 312) without rendering the secure net- 
work 328 open to public access. The firewall 318, in 
accordance with preferred embodiments of the invention, 
physically separates the publicly accessible network 312 
from the internal network 328. Consequently, all communi- 
cations attempting to access the internal network 328, or any 
network elements attached thereto, must pass through the 
firewall 318. To secure it from direct (i.e., keyboard) access, 
the firewall 318 is preferably maintained in a secure location 
on the premises of the institution 310. 

The firewall 318 can run on a general purpose computer. 
Such a computer, in accordance with preferred 
embodiments, is a stand alone machine, or firewall box, 
dedicated to the firewall application. The addition of other 
programs to the firewall box merely undermines the strength 
of the firewall 318. Such additional programs can be used to 
bypass, or attach to and attack the firewall 318. 

The firewall application comprises a plurality of proxy 
agents that are assigned to investigate and handle all incom- 
ing access requests. A proxy agent is preferably assigned in 
accordance with a port number designation indicated in a 
request. The assigned proxy agent processes the access 
request, forms the connection, if verified, and manages the 
completed connection. A designer can dictate what set of 
verification tests are to be run on a particular incoming 
request. For instance, an assigned proxy agent can first 
check to ensure that the protocol of the access request 
matches that of the indicated port. If there is a discrepancy, 
the request is denied. A next check can involve investigation 
of a source address (i.e., the host machine from which the 
access inquiry originated) of the access request. This permits 
the proxy agent to make an initial assessment of the authen- 
ticity of the request. If a particular source has a higher 
probability of generating suspect packets (e.g., an unknown 
university computer) a proxy agent can optionally invoke a 
more rigorous series of verification tests. However, if the 
source is inherently secure (e.g., a firewall protected 
machine at a company's headquarters communicating with 
their R&D site) the proxy agent might proceed directly to 
connecting the incoming request with a destination host 
machine. Once the source is determined, the proxy agent can 
run an appropriate combination of verification checks suited 
to the integrity of the request as indicated by its source. In 
the event that a legitimate user is accessing a protected 
network element using a suspect computer (e.g., a visiting 
professor logging on to a university's host computer rather 
than his or her office computer) it may be advantageous to 
allow such a user through, but only after a more rigorous set 
of interactive verification tests. However, the packet source 
address need not necessarily dictate the particular combina- 
tion of verification tests performed by the proxy agent. A 
proxy agent can have a fixed set of verification tests based 
on the port designation. The particular selection of verifi- 
cation checks is discretionary. Several such checks are 
described below. 

Source address verification can be based on a check of the 
validity of one or more specific addresses, or, on a range of 
address values (e.g., the first octet has a value of between 
zero and 100). Such a check involves a determination of 
whether a host source address of an incoming packet com- 
ports with a list of authorized or unauthorized addresses, or 
is within a designated range. If the source address is not on 
the list, the packet is discarded. Referring back to FIG. 3, in 
the event that the external user 300 attempts to contact a 
network element behind the firewall 318, the proxy agent 
can check the source address of the host computer 302. If the 
proxy agent determines that the host computer 302 does not 
have an authorized address, the request originating from the 
host computer 302 is discarded. 

A second check can be used to determine the authority of 
an access request based on the identity of a user seeking to 
gain access. This may involve interactively prompting the 
user 300 to enter either a user name, or a user/password 
combination. Because the proxy agent is protocol sensitive, 
it is designed to issue prompts in accordance with the format 
indicated by the port number of the incoming access request. 
A particular user may have limited access, in which case the 
user may be prompted to enter the address of the destination 
machine to be accessed. If the proxy agent determines that 
the user is not authorized to access the requested destination 
machine, the user can be re-prompted to enter another 
destination machine, or the request can be discarded alto- 
gether. 

A third check can be performed to determine whether the 
time period during which an access request is being made is 
authorized in and of itself, or for a particular user, source 
address, or destination address indicated in the request. For 
example, the check can permit access to a certain class of 
network elements during certain periods (e.g., between 7:00 
a.m. and 5:00 p.m. U.S. Pacific standard time). The time 
period check can include any combination of time of day, 
day of week, week of month, month of year, and/or year. 

A fourth check can be invoked to determine whether the 
destination address indicated by an access request is autho- 
rized. This check can be performed by examining packet 
destination address information, or possibly by prompting a 
user for the information. For example, in File Transfer 
Protocol (FTP) requests, the user may be required to enter 
a destination address (username@host) in response to a 
prompt generated by the assigned proxy agent. 

A proxy agent can also run tests that intercept and discard 
any messages that attempt to initiate a process on the firewall 
318 itself. For example, a conventional system having 
bundled applications may include an application such as 
SendMail. SendMail, in addition to providing mail delivery, 
also contains features for collecting and tracking source and 
destination information of mail messages. The information 
derived by a hacker through execution of such SendMail 
commands can be used to gain access to secure network 
elements. Hence, a proxy agent in accordance with the 
invention can include, within its set of tests, a check for, 
and discarding of, packets having nested executable 
commands. A firewall incorporating the invention can, 
however, facilitate the communication of normal electronic 
mail messages. Hence, valid mail can be passed through the 
firewall 318 to an internal E-mail system 320 if otherwise 
authorized. 

The checks described do not represent an exhaustive list 
of available verification checks. They merely represent a 
sampling of access validation checks and are described to 
assist in describing exemplary embodiments of the inven- 
tion. The particular set of checks is discretionary. 
Other checks can be added as deemed fit or necessary for a 
particular scenario. 

After a proxy agent successfully completes its set of one 
or more verification tests, the proxy agent initiates a con- 
nection request to the destination machine (and port) on 
behalf of the incoming access request. The purpose of this 
practice is to maintain anonymity on each side of the 
firewall. A party tapping either of the connections entering 
or exiting the firewall only "sees" the elements on each side 
of the tap, but not those beyond the tap. 

In accordance with another aspect of exemplary embodi- 
ments of the invention, security is supplemented by per- 
forming packet filtering on incoming access request packets. 
Such packet filtering can be provided either by the operating 
system of the firewall box, or by a router, such as router 308. 
In accordance with preferred embodiments, the packet fil- 
tering is directed to eliminating source based routing. 
Therefore, the packet filter maintains a list of addresses 
corresponding to network elements residing behind the 
firewall 318. If any incoming access request has a source 
address of a network element behind the firewall 318, that 
packet will be intercepted and discarded. 

FIGS. 4A and 4B depict a flow diagram of an exemplary 
process for analyzing an access request received at the 
firewall 318 of FIG. 3. The process described is merely 
exemplary, and any combination of checks or steps may be 
performed in accordance with a selected combination of 
checks. Furthermore, the order of step execution can be 
altered as needed for a particular scenario. 

Consider the situation where the user 300 in FIG. 3 is 
authorized to access the Web server 322 that resides behind 
the firewall 318. To access the Web server 322, the user 300, 
operating the host computer 302, first logs onto a public 
network (step 400) that is compatible with TCP/IP proto- 
cols. To access the Web server of the institution 310, the user 
300 enters an appropriate address (step 402), such as 
"http:\\weowno.com". The access request is received by a 
router 304 which forwards the message to the Internet 306. 
The Internet may forward the message through a series of 
routers and present it to a router 308 that services the 
institution 310. 

Because the access request seeks to access a destination 
address residing behind the firewall 318, the access request 
message is presented to the firewall 318 (step 404). In 
accordance with an exemplary embodiment, a proxy agent 
running on the firewall 318 is assigned to the access request 
in accordance with a preliminary analysis of the port number 
designation within the packet representing the access request 
(step 406). In this case, port number 80 (HTTP) would 
ordinarily be designated in the request. The assessment also 
can involve a determination of whether the service indicated 
by the port number comports with the contents of the request 
(step 408). That is, does the request indicate one service 
(port number) while being formatted for another? If there is 
disparity, the access is denied (step 410). 

The proxy agent can then analyze a source address to 
determine whether the host computer 302 from which the 
message originated is authorized to access the secure Web 
server 322 (step 412). As described above, this check can be 
used to optionally invoke a more rigorous set of verification 
checks if the source is unknown or suspect. This assessment 
can involve a comparison of the source address with a list of 
authorized or unauthorized addresses maintained by the 
proxy agent (step 414). In the exemplary case here, if the 
source address is not authorized (i.e., the source address is 
not on the list), the access request is denied (step 416). The 
extent to which a proxy agent verifies the validity of an 
access request can vary. It should be noted that in some 
cases, a proxy agent may need do little more than verify 
address information before initiating a connection to the 
destination device on behalf of the source host. 
Alternatively, if a source address is suspect, or a proxy 
agent's set of checks is fixed, the proxy agent can perform 
additional checking. 

In the present exemplary scenario the access request 
message is further analyzed to determine whether the access 
request is being received during an authorized time period, 
such as a time of day (step 418). If the time of day during 
which the access request is received is not authorized, the 
connection request is denied (step 420). The time of day 
assessment can be tailored for specified users, source host 
machines, and/or IP addresses. For example, to prevent 
evening hacking by users in Canada, North, and South 
America, such users may be denied access other than during 
normal U.S. business hours. A user in India, however, 
operating during Indian daylight hours, may be allowed to 
access the system during U.S. evening hours. 

A proxy agent also can assess whether user or user/ 
password information is necessary to gain access (step 422). 
If not, the proxy agent can initiate the connection (step 424). 
If the information is required, the proxy agent prompts the 
user with an appropriately formatted message to enter a 
username and/or password information (step 426). The user 
name and/or password information is checked (step 428). If 
an unauthorized user name is entered, or the password is 
invalid, the access request is denied (step 430). If a valid 
user name, or user/password combination is entered, the 
proxy agent can make further assessments, if deemed nec- 
essary or appropriate, to determine whether the host machine 
302 is authorized to access the particular destination (e.g., 
Web server 322) (step 432). If not authorized, the access is 
denied (step 434). An additional proxy agent check can 
determine whether the particular network element to which 
the user 300 is attempting to gain access is available to the 
particular user (step 436). If not authorized, the access 
request is denied (step 438). 

If after the proxy agent has completed its set of tests it is 
determined that the access request is authorized, the proxy 
agent initiates a connection to the Web server 322 on behalf 
of the source machine 300 (step 440). Because the firewall 
forms a connection (using a proxy agent) following the 
completion of validation checks associated with the proxy 
agent's test set, the firewall functions as a Bastion host, or 
firewall server, on behalf of the access request source. By 
using the firewall as a Bastion host, or firewall server, to act 
on behalf of the user accessing the secure network 328, the 
identity of internal network elements is not revealed because 
the firewall 318, acting as an intermediary, shields the 
identity of the network elements on whose behalf it is 
acting. All the external user sees, in terms of addresses, 
is the firewall. If an internal connection is tapped, a 
valid source address or user identity is not available to the 
hacker as the firewall 318 appears to be the source of the 
connection. Hence, a firewall arrangement in accordance 
with the invention provides two-way transparency. 

Another aspect of an exemplary embodiment of the 
invention involves sending an "out-of-band" system mes- 
sage in response to a username or username/password 
combination provided by a user. Such a system involves 
communicating a password, or password portion, back to a 
user on a communication medium other than the computer 
network being used. The user enters the information 
received by out-of-band means to complete a logon process. 
For example, a user can be prompted to enter their username 
and the first half of a password. The system receiving this 
information, upon verifying it, sends back the remaining half 
of the password to the user by automatically generating a 
phone call to a beeper provided to the user. The beeper's 
display indicates the remaining password portion which is 
then entered by the user to complete the logon. The identity 
of the user is thereby authenticated. A hacker does not 
possess the means to receive the out-of-band response (i.e., 
the beeper). The password, or password portion, sent back to 
the user by out-of-band means can be a random number 
generated by the firewall system. 

Another aspect of exemplary firewall systems operating in 
accordance with the invention is that all processes, including 
proxy agents, running on the firewall, operate in a "daemon 
mode." When a computer operating system receives a 
request to perform a task it will open up a job and designate 
a corresponding job number in order to provide and manage 
resources associated with that job. When the task is com- 
pleted the operating system designates the job for closure. 
However, the actual closure of the job and removal of the 
corresponding job number does not always take place imme- 
diately because it is considered to be a low priority task. This 
occasionally leaves an idle job open on the system awaiting 
closure. Hackers have learned that they can exploit such an 
idle job, reactivate its status, and access resources available 
to the job. By operating in a daemon mode, the operating 
system of the firewall box immediately shuts down jobs 
following the completion of designated tasks. 

When a computer upon which the firewall is running is 
operating in a UNIX environment, there are UNIX-specific 
security measures that can be invoked. One such security 
measure is the "changeroot" feature. A "root" user is a user 
having high levels of access to files branching from a "root 
directory." If a network intruder can access a root directory, 
the network intruder may be able to access the files 
hierarchically emanating from the root directory. In accor- 
dance with another aspect of a secure database system 
incorporating the present invention, all jobs running on the 
firewall system and on the secure database system are 
preceded by a "changeroot" command to change the identity 
of the root directory. A new root directory is created by 
execution of this command that can be used for transaction- 
specific purposes. This new directory does not have access 
to any of the original file directories branching from the 
original root directory. Consequently, if a hacker is able to 
access information associated with a job, corresponding root 
directory data will be useless. 
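The out-of-band split-password logon described above, worked through as an added example (this is editorial code, not code from the patent or from any product implementing it). The user database, the pager number and the pager channel itself are constructed stand-ins; a real deployment would place a phone call to the user's beeper, and the point the code adds beyond the text is that the paged half must be random per logon, single-use, and short-lived, because a pager message is itself interceptable.

```python
import hashlib
import hmac
import secrets
import time


def _derive(salt: bytes, half: str) -> bytes:
    """Hash of the network-side password half (never store it in clear)."""
    return hashlib.pbkdf2_hmac("sha256", half.encode(), salt, 100_000)


# Constructed user record and pager number; assumptions for the demo only.
_SALT = b"constructed-salt-for-demo"
USERS = {"alice": (_SALT, _derive(_SALT, "corr-horse"))}
PAGER_NUMBERS = {"alice": "555-0100"}
CHALLENGE_TTL = 120.0        # seconds the paged half remains valid (assumed)


class PagerChannel:
    """Stand-in for the automatic phone call to the user's beeper."""
    def __init__(self):
        self._inbox = {}

    def send(self, number: str, text: str) -> None:
        self._inbox[number] = text

    def read(self, number: str):
        return self._inbox.pop(number, None)


class OutOfBandLogon:
    def __init__(self, pager: PagerChannel, clock=time.monotonic):
        self.pager = pager
        self.clock = clock
        self.pending = {}    # username -> (paged second half, expiry time)

    def step1(self, username: str, first_half: str) -> bool:
        """Verify username + first half over the network; on success, generate a
        random second half and send it only over the out-of-band channel."""
        record = USERS.get(username)
        if record is None:
            return False
        salt, digest = record
        if not hmac.compare_digest(_derive(salt, first_half), digest):
            return False
        second_half = f"{secrets.randbelow(10**6):06d}"   # random, firewall-generated
        self.pending[username] = (second_half, self.clock() + CHALLENGE_TTL)
        self.pager.send(PAGER_NUMBERS[username], second_half)
        return True

    def step2(self, username: str, second_half: str) -> bool:
        """Complete the logon with the value read from the beeper. The pending
        challenge is consumed on any attempt, so it is single-use."""
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        expected, expires = entry
        if self.clock() > expires:
            return False
        return hmac.compare_digest(expected.encode(), second_half.encode())


def demo() -> dict:
    """Exercise the protocol from both sides with a controllable clock."""
    pager = PagerChannel()
    now = [0.0]
    auth = OutOfBandLogon(pager, clock=lambda: now[0])
    out = {}
    out["unknown_user"] = auth.step1("mallory", "corr-horse")
    out["wrong_first_half"] = auth.step1("alice", "not-the-password")
    # Attacker who knows the first half but holds no beeper: a guess fails
    # (the pager is read here only to build a guaranteed-wrong guess).
    assert auth.step1("alice", "corr-horse")
    paged = pager.read(PAGER_NUMBERS["alice"])
    guess = "000000" if paged != "000000" else "000001"
    out["attacker_guess"] = auth.step2("alice", guess)
    # Legitimate user reads the beeper and completes the logon; the same
    # value cannot be replayed afterwards.
    assert auth.step1("alice", "corr-horse")
    code = pager.read(PAGER_NUMBERS["alice"])
    out["legitimate"] = auth.step2("alice", code)
    out["replay"] = auth.step2("alice", code)
    # A paged value that sat unused past CHALLENGE_TTL is rejected.
    assert auth.step1("alice", "corr-horse")
    code = pager.read(PAGER_NUMBERS["alice"])
    now[0] += CHALLENGE_TTL + 1
    out["expired"] = auth.step2("alice", code)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>17}: {'accepted' if result else 'rejected'}")
```

The failed `step2` attempt deliberately discards the pending challenge, so an attacker racing the legitimate user forces a fresh page rather than getting unlimited guesses at a six-digit value.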

Another aspect of a system in accordance with the inven- 
tion is the use of aliases by the firewall when addressing 
machines residing behind the firewall. A machine behind the 
firewall can be addressed by the firewall according to an 
alias of its actual IP address. Hence, if a hacker is somehow 
able to tap the firewall, any addresses detected by the hacker 
corresponding to machines attached to the backside of the 
firewall will be fictitious. 

An additional security feature that can be provided in the 
firewall system is a transaction log. Such a log gathers 
information associated with any access-request message 
seeking to connect to or inquire about network elements 
residing behind the firewall. Information gathered in such a 
transaction log may include, but is not limited to, the source 
address (what is the identity of the machine from which the 
request originated), the IP address (which Internet port 
system did the request originate over), the destination 
address (who is the request trying to reach), time of access, 
and/or the identity of the user (who is using the source 
machine). This information can facilitate the identification 
of a hacker if the hacker's activities require legal attention. 
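The proxy-agent checks described earlier (port/protocol consistency, source-address list and range, time window), the anti source-routing packet filter, the FIG. 4A and 4B walkthrough, and the transaction log just described, combined into one added example. This is editorial code, not code from the patent; the internal address range, the per-port protocol table, the authorized source ranges, the business-hours window and the sample requests are all constructed for illustration. It goes slightly beyond the text in two ways: the checks are ordered so that the spoof filter runs before any proxy agent logic, and every decision, allowed or denied, is logged with the reason.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed address plan for the protected network ("secure network 328").
# An outside packet claiming a source in this range is spoofed and is dropped
# by the packet filter before any proxy agent is assigned.
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")

# One proxy agent per service port; each knows the protocol a request on its
# port must be formatted for.
PORT_PROTOCOL = {80: "HTTP", 21: "FTP", 25: "SMTP"}

# The text's example window: 7:00 a.m. to 5:00 p.m. U.S. Pacific standard time.
PST = timezone(timedelta(hours=-8))
BUSINESS_HOURS = (7, 17)

# Constructed source policy: specific hosts plus a whole range.
AUTHORIZED_SOURCES = [
    ipaddress.ip_network("192.0.2.10/32"),     # partner's firewall-protected host
    ipaddress.ip_network("198.51.100.0/24"),   # partner range
]


@dataclass(frozen=True)
class Request:
    src: str            # source address as seen on the public side
    dst: str            # requested internal destination
    port: int           # service port designated in the request
    protocol: str       # protocol the payload is actually formatted for
    received: datetime  # arrival time (tz-aware)


def is_spoofed(req: Request) -> bool:
    """Packet-filter check: outside packet with an inside source address."""
    return ipaddress.ip_address(req.src) in INTERNAL_NET


def protocol_matches_port(req: Request) -> bool:
    """First proxy-agent check: designated port versus actual formatting."""
    return PORT_PROTOCOL.get(req.port) == req.protocol


def source_authorized(req: Request) -> bool:
    """Source-address check against the authorized hosts and ranges."""
    src = ipaddress.ip_address(req.src)
    return any(src in net for net in AUTHORIZED_SOURCES)


def within_time_window(req: Request) -> bool:
    """Time-period check, evaluated in the policy's time zone, not UTC."""
    hour = req.received.astimezone(PST).hour
    start, end = BUSINESS_HOURS
    return start <= hour < end


def validate(req: Request, log: list) -> tuple:
    """Run the checks in order, stop at the first failure, and append a
    transaction-log entry (source, destination, port, time, decision)."""
    checks = [
        ("spoofed-internal-source", lambda r: not is_spoofed(r)),
        ("protocol-port-mismatch", protocol_matches_port),
        ("source-not-authorized", source_authorized),
        ("outside-time-window", within_time_window),
    ]
    allowed, reason = True, "allowed"
    for name, check in checks:
        if not check(req):
            allowed, reason = False, name
            break
    log.append({"src": req.src, "dst": req.dst, "port": req.port,
                "time": req.received.isoformat(), "decision": reason})
    return allowed, reason


# Constructed sample traffic. 18:00 UTC is 10:00 PST; 04:00 UTC is 20:00 PST.
T_BUSINESS = datetime(2024, 3, 4, 18, 0, tzinfo=timezone.utc)
T_EVENING = datetime(2024, 3, 5, 4, 0, tzinfo=timezone.utc)

SAMPLE_REQUESTS = [
    Request("198.51.100.7", "10.10.1.5", 80, "HTTP", T_BUSINESS),  # clean
    Request("10.10.1.9", "10.10.1.5", 80, "HTTP", T_BUSINESS),     # spoofed source
    Request("198.51.100.7", "10.10.1.5", 80, "FTP", T_BUSINESS),   # FTP on port 80
    Request("203.0.113.4", "10.10.1.5", 80, "HTTP", T_BUSINESS),   # unknown source
    Request("192.0.2.10", "10.10.1.5", 21, "FTP", T_EVENING),      # after hours
]


def run_samples() -> list:
    """Validate each sample request; returns the decision for each."""
    log = []
    return [validate(req, log)[1] for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, outcome in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{req.src:>14} -> {req.dst}:{req.port} {req.protocol:<4} {outcome}")
```

Note that the source-address check is only meaningful once the spoof filter has run, and even then a source address is evidence, not proof, which is why the text pairs it with user prompting for suspect sources.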

The exemplary scenarios described above are directed 
primarily to situations where outside users are attempting to 
access network elements residing behind a firewall. It should 
be noted, however, that a firewall in accordance with the 
present invention also can be utilized to monitor and control 
packet traffic originating from behind a firewall, allowing 
and disallowing connection based upon predetermined rules. 
Hence, a firewall incorporating the invention also can be 
used to control what, where, who, how and when a user 
behind the firewall can access the outside world. This can be 
done in addition to monitoring and controlling incoming 
traffic. 

Because exemplary embodiments involve the operation of 
computing systems, an exemplary embodiment of the inven- 
tion can take the form of a medium for controlling such 
computing systems. Hence, the invention can be embodied 
in the form of an article of manufacture as a machine 
readable medium such as floppy disk, computer tape, hard 
drive disk, CD ROM, RAM, or any other suitable memory 
medium. Embodied as such, the memory medium contains 
computer readable program code which causes a computing 
system upon which the firewall system is running to function 
or carry out processes in accordance with the present inven- 
tion. 

An exemplary application of the invention has been 
described protecting an internal network. However, one 
skilled in the art will readily appreciate and recognize that 
the firewall system or method of operation in accordance 
with the invention can be applied in any scenario requiring 
the protection of network elements that are attached to a 
publicly accessible medium, such as the Internet. The inven- 
tion provides the benefit of attaching a system to a public 
network with reduced apprehension of that system being 
compromised over the public network. 

The invention has been described with reference to par- 
ticular embodiments. However, it will be readily apparent to 
those skilled in the art that it is possible to embody the 
invention in specific forms other than those of the embodi- 
ments described above. Embodiment of the invention in 
ways not specifically described may be done without depart- 
ing from the spirit of the invention. Therefore, the preferred 
embodiments described herein are merely illustrative and 
should not be considered restrictive in any way. The scope 
of the invention is given by the appended claims, rather than 
by the preceding description, and all variations and equiva- 
lents which fall within the range of the claims are intended 
to be embraced therein. 
What is claimed is: 

1. A firewall system for protecting network elements 
comprising: 

a computing platform having a microprocessor and 
memory storage, wherein said computing platform 
provides access from a network connection to at least 
one network element, wherein said memory contains 
instructions causing said microprocessor to perform the 
steps of: 

initializing a plurality of proxy agents, wherein each of 
said proxy agents is assigned a corresponding port 
number and protocol; 
verifying that incoming connection requests are for- 
matted in accordance with said corresponding pro- 
tocol; 

logging information associated with incoming connec- 
tion requests; and, 
processing received packets to determine the presence 
of executable commands nested within received 
packets, and if detected, discarding said received 
packets. 